Using an Active Directory Server with the Configuration Manager

To use an Active Directory server as a repository for the Configuration Manager data,
the schema of the server must be extended to feature the object classes and attributes
used to store configuration data. A schema extension file named apoc-ad.ldf can be found in the ad subdirectory of the Configuration Manager deployment
tool provided on the Management Tools CD. Refer to the deployment tool section for
more information.

The apoc-ad.ldf file must be imported into the Active Directory
schema using the following steps:

Enable schema extensions. Refer to the Active Directory documentation
for more information on how to perform that operation.

In order to prepare the Active Directory server to store configuration data,
the deployment tool must be used. As the schema has already been extended by the previous
step of the installation, only the createServiceTree script needs
to be run. It must be started from the deployment tool directory, as any user, with the
command ./createServiceTree. The script prompts for
information about the Active Directory database. A default mapping file using
typical object classes and attributes featured in Active Directory is provided in
the ad subdirectory of the deployment tool directory. This file is called OrganisationalMapping and can be deployed by copying it over the file with
the same name in the main deployment tool directory prior to launching createServiceTree.

From that point, the Active Directory server can be used with the Configuration Manager.
When installing the Configuration Manager, provide the full DN and password of a user
with read rights to the tree. This can be a user that is not able to use Active Directory
for any other purpose. Refer to the Active Directory documentation for more information
on how to set up such a user. In addition, the domain name of the Active Directory server
must be known to the machine that is running the Configuration Manager. You can do this
by adding a line mapping the IP address of the Active Directory server to its domain
name in the /etc/hosts file of that machine.

In order to retrieve the configuration data from a Java Desktop System host,
the domain name of the Active Directory must also be known to that host. Authentication
of the Java Desktop System user can be done in two ways: anonymously and using GSSAPI.

To authenticate using anonymous connections, the Active Directory
server must be configured to grant read rights to everyone. Refer to Active Directory
documentation for more information on how to perform that operation.

To authenticate using GSSAPI, the file /etc/krb5.conf,
which specifies the Kerberos parameters, must be modified to define the Active Directory
realm and point to the Active Directory server as its Key Distribution Center (KDC).
It must also specify, as the default encryption types, the DES types supported by
Active Directory, namely des-cbc-crc and des-cbc-md5. Refer
to the Kerberos documentation for more information on how to perform that operation.
Before accessing the configuration data, valid credentials for the user who is logged
in to the Java Desktop System must be obtained. This can be done manually by running
the kinit command and providing the user password defined in
Active Directory. Other schemes may generate these credentials automatically at login.
Refer to the Java Desktop System documentation for further information.
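The /etc/krb5.conf described above, written out as an added example that is not part of the original documentation. The realm EXAMPLE.COM and the server name ad.example.com are assumed placeholders, and the allow_weak_crypto line is an assumption beyond the page: MIT Kerberos 1.7 and later refuse the single-DES types unless it is set.

```ini
; /etc/krb5.conf - constructed example for a Java Desktop System host
; Assumed placeholders: realm EXAMPLE.COM, Active Directory server ad.example.com

[libdefaults]
    default_realm = EXAMPLE.COM
    ; The DES types the page lists as those supported by Active Directory
    default_tkt_enctypes = des-cbc-crc des-cbc-md5
    default_tgs_enctypes = des-cbc-crc des-cbc-md5
    ; Assumption beyond the page: MIT Kerberos 1.7+ treats single DES as weak
    ; and will not negotiate these types unless this is explicitly enabled.
    allow_weak_crypto = true

[realms]
    ; The Active Directory server acts as the KDC for the realm
    EXAMPLE.COM = {
        kdc = ad.example.com
        admin_server = ad.example.com
    }

[domain_realm]
    ; Map the Active Directory DNS domain onto the Kerberos realm
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM
```

With this file in place, running kinit as the logged-in user and entering the Active Directory password obtains the credentials the GSSAPI bind needs; klist shows whether a ticket for EXAMPLE.COM was issued.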